BasicAuth not working

Help
1

1. The problem I’m having:

Hi, I’m trying to make something along the lines of a proxy server. I am running Interstellar ( GitHub - UseInterstellar/Interstellar: One of the most popular modern web proxies with blazing fast speeds and a variety of games. ) in VSCode and use Caddy to pump it out on the internet. The issue starts when I try adding basicauth to it. When I try accessing the website (yes, I know that browsers aren’t too good for testing, but curl timeouts even when the website is working.) on Brave Browser it doesn’t load. When I use Google Chrome, basicauth works after about 1 minute of loading, but online services are not available (see error messages). Firefox returns error 401, not authorised.

2. Error messages and/or full log output:

Brave browser: This site can’t be reached
testingthatitworksabc.mooo.com took too long to respond. ERR_TIMED_OUT

Google Chrome: RangeError: Failed to construct 'Response': The status provided (0) is outside the range [200, 599]. Only happens when trying to access resources that are online.

Firefox: Error code: 401 Unauthorized

3. Caddy version:

Caddy v2.10.2

4. How I installed and ran Caddy:

If I remember correctly, I cloned caddy into VSCode, and ran it with caddy run

a. System environment:

Windows 11, VSCode

b. Command:

caddy run

c. Service/unit/compose file:

not sure what this is, sorry

d. My complete Caddy config:

Caddyfile. Website works fine without the basic_auth block.

testingthatitworksabc.mooo.com {
    basic_auth {
        admin $2a$14$geI.xDTNg4cfdwZZDoowT.Bw9auh15OC2xSAuuxI6laEKKhyyzmw2
    }    
    reverse_proxy localhost:2019
}
2

No idea why you’re seeing such weird behaviour, but here’s a quick example from my laptop.

But let me say this first: unless you really need to, do NOT expose the admin API to anything beyond localhost. It’s locked down by default for a reason.

Step 1: test to see if the site is alive

example.com {
	tls internal
	
	respond "Alive!"
}

$ curl https://example.com/config/
Alive!

Step 2: proxy the site to the admin API

example.com {
	tls internal
	
	reverse_proxy localhost:2019
}

$ curl https://example.com/config/
{"error":"host not allowed: example.com"}

Step 3: try again to proxy the site to the admin API
:warning: :skull: at this point, I really hope you know what you’re doing :skull: :warning:

{
	admin localhost:2019 {
		origins example.com
	}
}

example.com {
	tls internal
	
	reverse_proxy localhost:2019
}

$ curl https://example.com/config/
{"admin":{"listen":"localhost:2019","origins":["example.com"]},"apps":{"http":{"servers":{"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"localhost:2019"}]}]}]}],"match":[{"host":["example.com"]}],"terminal":true}]}}},"tls":{"automation":{"policies":[{"issuers":[{"module":"internal"}],"subjects":["example.com"]}]}}}}

Step 4: add some basic authentication

{
	admin localhost:2019 {
		origins example.com
	}
}

example.com {
	tls internal
	
	basic_auth {
		admin $2a$14$A410L2y9j/gOYY58Husn6.2e2eOR8W/wjM5zfXcgXENrKFMLDHjDi
	}
	reverse_proxy localhost:2019
}

$ curl https://example.com/config/ -i
HTTP/2 401
alt-svc: h3=":443"; ma=2592000
server: Caddy
www-authenticate: Basic realm="restricted"
content-length: 0
date: Wed, 05 Nov 2025 01:00:50 GMT

$ curl https://example.com/config/ -u admin:REDACTED
{"admin":{"listen":"localhost:2019","origins":["example.com"]},"apps":{"http":{"servers":{"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"authentication","providers":{"http_basic":{"accounts":[{"password":"$2a$14$A410L2y9j/gOYY58Husn6.2e2eOR8W/wjM5zfXcgXENrKFMLDHjDi","username":"admin"}],"hash":{"algorithm":"bcrypt"},"hash_cache":{}}}},{"handler":"reverse_proxy","upstreams":[{"dial":"localhost:2019"}]}]}]}],"match":[{"host":["example.com"]}],"terminal":true}]}}},"tls":{"automation":{"policies":[{"issuers":[{"module":"internal"}],"subjects":["example.com"]}]}}}}

Step 5: enforce origin

{
	admin localhost:2019 {
		origins example.com
		enforce_origin
	}
}

example.com {
	tls internal
	
	basic_auth {
		admin $2a$14$A410L2y9j/gOYY58Husn6.2e2eOR8W/wjM5zfXcgXENrKFMLDHjDi
	}
	reverse_proxy localhost:2019
}

$ curl https://example.com/config/ -u admin:REDACTED
{"error":"client is not allowed to access from origin ''"}

$ curl https://example.com/config/ -u admin:REDACTED -H 'Origin: https://example.com'
{"admin":{"enforce_origin":true,"listen":"localhost:2019","origins":["example.com"]},"apps":{"http":{"servers":{"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"authentication","providers":{"http_basic":{"accounts":[{"password":"$2a$14$A410L2y9j/gOYY58Husn6.2e2eOR8W/wjM5zfXcgXENrKFMLDHjDi","username":"admin"}],"hash":{"algorithm":"bcrypt"},"hash_cache":{}}}},{"handler":"reverse_proxy","upstreams":[{"dial":"localhost:2019"}]}]}]}],"match":[{"host":["example.com"]}],"terminal":true}]}}},"tls":{"automation":{"policies":[{"issuers":[{"module":"internal"}],"subjects":["example.com"]}]}}}}
2 Likes
3

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.